Page MenuHomePhabricator

Provide other checksums than MD5 and SHA-1 for dumps
Open, LowPublic


Given the recent publication of the "SHAttered" SHA-1 collision proof by people at Google and the Centrum voor Wiskunde en Informatica in Amsterdam, wouldn't it be legitimate to provide safer checksums than the ones currently provided (MD5 and SHA-1) ? Granted, they've been historically used for that purpose, but now that both can be collided with legit-looking payloads with the same hash as any given payload, it would probably be best to either provide a third checksum or get rid of these old checksum hashing algos entirely and switch to a third.

If anything, we could use algorithms in the SHA-2 family, like sha256 or sha512 (for which sha256sum and sha512sum packages are available since ubuntu 12.04 « Precise Pangolin ») ; or in the SHA-3 family (for which a unique sha3sum package is available since Ubuntu 15.10 « Wily Werewolf », using a command line parameter to choose the exact algorithm and size of the resulting hash). Or even both.

Considering we've abandonned SHA-1 for our SSL/TLS certificates, (as we should have of course), it would make sense to, if not abandon them outright, at least provide safer alternatives for the checksums of dumps we provide.

Event Timeline

We provide these checksums so that folks can verify that their data download was successful. Someone who can replace a dump file for download with a malicious copy can also replace the relevant entry in the list of md5/sha1 sums. We can adopt sha256 eventually but there's no rush.